Group membership filters with multiple uids

I've recently begun using nss-pam-ldapd under FreeBSD as a replacement for 
nss_ldap. It's almost working perfectly, except for one obstacle relating to 
ssh authentication using multiple uids when ssh access is restricted based on 
group membership.

For example, an LDAP user like me might have both "dustinwenz" and "dustin"
uids, but only the first uid is listed as a member of groups on the directory
server. So, when I log in as "dustin", nslcd looks for
"&(objectClass=posixGroup)(|(memberUid=dustin)" and never finds my group
membership (thus rejecting my ssh connection).

If I remove all group restrictions for ssh, I can successfully log in as my
short uid, and nslcd is then smart enough to translate that short name to the
primary "dustinwenz". I can see this in the debug messages: username changed
from "dustin" to "dustinwenz".

Is there any way for nslcd to perform that username switch prior to searching for
group membership?


        - .Dustin